Spam issue, trying to understand exim log

[fernandomm]

Hello,

I am having some issues with spam on my server. I have received a report from aol and, using the from header, got the message IDs. Here it is one of them:

Code:

2009-11-24 23:00:10 [25870] 1ND3Qg-0006jG-8y <= medsex1@yahoo.com H=localhost (myhostname.com) [127.0.0.1]:44846 I=[127.0.0.1]:25 P=smtp S=1084 id=003d01c45ea6$231c589f$b2b07d80@ljfvbxnv T="SEX NO PROBLEMS!" from <medsex1@yahoo.com> for mbayguy@comcas.net
2009-11-24 23:00:10 [25873] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y ** mbayguy@comcas.net F=<medsex1@yahoo.com> R=fail_remote_domains: The mail server could not deliver mail to mbayguy@comcas.net.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-11-24 23:00:10 [25878] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25878] 1ND3Qg-0006jO-K9 <= <> R=1ND3Qg-0006jG-8y U=mailnull P=local S=2025 T="Mail delivery failed: returning message to sender" from <> for medsex1@yahoo.com
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y Completed QT=0s

I can't identify how the spam is being send and who is sending it. According to this logs the user is using a script, right?

Shouldn't the username appear at U=mailnull? Because mailnull is the user that exim runs, right?

Thanks!

[thewebhostingdi]

You can check the mail logs if you have an access to the server by firing the below command:

cat /var/log/exim_mainlog | grep 1ND3Qg-0006jG-8y

By firing the above command you might get the domain name from which SMTP authentication the spam mail was sent.

[Denis Mischenko]

Hello,

I've found this issue too.
With the default cPanel configuration(setup) you are able to connect to localhost port 25 and send the messages without authentification.
Usually it's used along with server hostname in the from field.

Code:

[18:04] [server1 etc] # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-server1.xxx.tld ESMTP Exim 4.69 #1 Wed, 02 Dec 2009 18:04:35 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo server1.xxx.tld
250 server1.xxx.tld Hello localhost [127.0.0.1]
mail from: <support@server1.xxx.tld>
250 OK
rcpt to: <ard@xyy.tld>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: Testing spam!!!
SPAMMED.
.
250 OK id=1NFyG5-0006t1-BZ
quit
221 server1.xxx.tld closing connection
Connection closed by foreign host.

And such messages are accepted and set to external addresses. This can be stopped by removing main domain from /etc/localdomains or by adding deny acl for the following conditions:

Code:

hosts = 127.0.0.1
condition = ${if match_domain{$sender_address_domain}{${primary_hostname}}{yes}{no}}

However this does not protect from use of the other domains owned by the other users. So anyone who will find what domains are hosted on the server will be able to send spam on behalf of that users.

Enable authentification on localhost? Changes in the /etc/exim.conf are not persistent. Also can authentification create issues for the other services?

[cPanelDon]

Hello,

I am having some issues with spam on my server. I have received a report from aol and, using the from header, got the message IDs. Here it is one of them:

Code:

2009-11-24 23:00:10 [25870] 1ND3Qg-0006jG-8y <= medsex1@yahoo.com H=localhost (myhostname.com) [127.0.0.1]:44846 I=[127.0.0.1]:25 P=smtp S=1084 id=003d01c45ea6$231c589f$b2b07d80@ljfvbxnv T="SEX NO PROBLEMS!" from <medsex1@yahoo.com> for mbayguy@comcas.net
2009-11-24 23:00:10 [25873] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y ** mbayguy@comcas.net F=<medsex1@yahoo.com> R=fail_remote_domains: The mail server could not deliver mail to mbayguy@comcas.net.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
2009-11-24 23:00:10 [25878] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1ND3Qg-0006jG-8y
2009-11-24 23:00:10 [25878] 1ND3Qg-0006jO-K9 <= <> R=1ND3Qg-0006jG-8y U=mailnull P=local S=2025 T="Mail delivery failed: returning message to sender" from <> for medsex1@yahoo.com
2009-11-24 23:00:10 [25873] 1ND3Qg-0006jG-8y Completed QT=0s

I can't identify how the spam is being send and who is sending it. According to this logs the user is using a script, right?

Shouldn't the username appear at U=mailnull? Because mailnull is the user that exim runs, right?

Thanks!

There is not enough detail in the provided log data to know for certain what generated the initial SMTP connection from localhost.

To help with future occurrences, please consider adjusting the Exim configuration via the Exim Configuration Editor in WHM.

WHM, Main >> Service Configuration >> Exim Configuration Editor:
"Set the Sender: Header when the mail sender changes the sender (-f flag passed to sendmail)."
Set to Enabled by ensuring the checkbox is ticked.
The above option will ensure the e-mail sender header is properly set as the true sender, such as "nobody" or whichever user ran the script if using SuPHP or which e-mail account the script used for authentication; this also helps with tracking Spam that slipped by and is later reported back to you by way of receiving a copy of the full e-mail headers.

WHM, Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor
In the first text box on the above page add the following line:

Code:

log_selector = +all -ident_timeout -pid

This step will help generate more detailed Exim logging data.

[tiolalu]

Hello,

I've found this issue too.
With the default cPanel configuration(setup) you are able to connect to localhost port 25 and send the messages without authentification.
Usually it's used along with server hostname in the from field.

Code:

[18:04] [server1 etc] # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-server1.xxx.tld ESMTP Exim 4.69 #1 Wed, 02 Dec 2009 18:04:35 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo server1.xxx.tld
250 server1.xxx.tld Hello localhost [127.0.0.1]
mail from: <support@server1.xxx.tld>
250 OK
rcpt to: <ard@xyy.tld>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
Subject: Testing spam!!!
SPAMMED.
.
250 OK id=1NFyG5-0006t1-BZ
quit
221 server1.xxx.tld closing connection
Connection closed by foreign host.

I'm sorry that I rescued this post like an archaeologist, but I'm having the same problem and I can't find the solution after looking for it hardly.

Can enyone, please, tell me how to make all smtp connections to authenticate?
So when anyone insert the "rcpt to" the system answer: "550 authentication required"

Thanks in advance,
Best regards.

PD: I forgot it. I'm running an VPS with cPanel 11.25.0-STABLE S45750

[tiolalu]

Ok I found the "problem". If you logged in the last 30 min. you are able to send mails without authenticate.

Now I'll look closely the access log.

[cPanelDon]

Ok I found the "problem". If you logged in the last 30 min. you are able to send mails without authenticate.

Now I'll look closely the access log.

To avoid that behavior simply disable Antirelayd via the Service Manager in WHM at the following menu path (with linked documentation): WHM: Main >> Service Configuration >> Service Manager